  1. #1
    Member
    Join Date
    Feb 2005
    Location
    North Carolina
    Posts
    237

    Ratelimit Backscatter ACL?

    Is there a way to apply (or create a new) ACL to ratelimit a form of spam?

    We're seeing a lot of activity that looks like the snippet below. I know this is not backscatter in the traditional sense as it's all coming from the same source ... it's just unusual that one user is being targeted vs. a dictionary attack.

    Notice the mail is from the same IP. It has passed a slew of HELO/EHLO tests as well as made it through major RBL checks in order to arrive at the User Unknown (require verify = recipient) stage.

    I'd like to be able to ratelimit this type of repetitive connection as it's wasting resources going through RBL and spam checks.

    Any suggestions would be appreciated.

    Code:
    2008-07-18 03:25:44 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Polina@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:46 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<JUlija@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:48 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Veronika@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:50 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Vera@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:53 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Ivan@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:55 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Nina@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:57 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Anton@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:25:59 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Maksim@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:26:02 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Filipp@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown
    2008-07-18 03:26:04 H=ns67.mdwebhosting.com.au (aurora.websiteactive.com) [75.125.52.98] F=<Viktorija@lickshotclothing.com.au> rejected RCPT <user1@clientsdomain.com>: User Unknown

  2. #2
    Member
    Join Date
    Mar 2004
    Posts
    710


    And why does "Attempt to block dictionary attacks" not do it for you?
    Lloyd F Tennison

  3. #3
    Member
    Join Date
    Feb 2005
    Location
    North Carolina
    Posts
    237


    And why does "Attempt to block dictionary attacks" not do it for you?
    Great question.

    If you'll look at the snippet from the maillog you'll see that the from address is changed with every message, even though they are all from the same host / IP.

    This has always been a way to "bypass" the Dictionary Attack script, even when it was under Chirpy's fine control. Once a spammer figures out how many messages it takes before they are blocked, they change the number of repetitions of each from address. We've watched this in our maillog ... if we lower the "$rcpt_fail_count" value it will hold for a few days, but then the spammers change the repetitions of messages (using unique from addresses) trying to bypass the block.
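
    The following is an added example, not code from the thread or from cPanel's dictionary-attack script. It parses Exim mainlog "rejected RCPT" lines like the snippet in post #1 and counts rejections in a sliding window, once keyed on the envelope sender (which is what a per-sender "$rcpt_fail_count" style counter sees) and once keyed on the connecting host's IP. The log lines, hosts, addresses and IPs are constructed for the example; the threshold of 5 failures per minute and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Exim mainlog "rejected RCPT" format, modelled on the
# thread's snippet. Hosts, addresses and IPs are made up (RFC 5737 ranges).
# The 5th line is a single benign typo from another host; the last line is an
# unrelated delivery record that the parser must skip.
SAMPLE_LOG = """\
2008-07-18 03:25:44 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Polina@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:25:46 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Julija@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:25:48 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Veronika@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:25:50 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Vera@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:25:51 H=mx.example.org [198.51.100.7] F=<alice@example.org> rejected RCPT <usre1@example.com>: User Unknown
2008-07-18 03:25:53 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Ivan@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:25:55 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Nina@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:25:57 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Anton@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:25:59 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Maksim@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:26:02 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Filipp@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:26:04 H=ns1.example.net (relay.example.net) [192.0.2.10] F=<Viktorija@example.com.au> rejected RCPT <user1@example.com>: User Unknown
2008-07-18 03:26:05 1KJxyz-0002Cd-Ef <= bob@example.org H=mx.example.org [203.0.113.5] P=esmtp S=1234
"""

# "H=host (helo) [ip]" with the "(helo)" part optional, then F=<sender> and RCPT <rcpt>.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)


def parse_rejects(text):
    """Yield (timestamp, ip, sender, rcpt) for every rejected-RCPT line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield (ts, m["ip"], m["sender"], m["rcpt"])


# Candidate keys for the counter. A per-sender key is defeated by rotating
# envelope senders; a per-host key is not, because the connection is the same.
def by_sender(ip, sender, rcpt):
    return sender


def by_ip(ip, sender, rcpt):
    return ip


def by_ip_and_rcpt(ip, sender, rcpt):
    return (ip, rcpt)


def sliding_window_offenders(events, key, limit, window):
    """Return {key: first timestamp at which more than `limit` rejections fell within `window`}."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    tripped = {}
    for ts, ip, sender, rcpt in sorted(events):
        k = key(ip, sender, rcpt)
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) > limit and k not in tripped:
            tripped[k] = ts
    return tripped


if __name__ == "__main__":
    events = list(parse_rejects(SAMPLE_LOG))
    window = timedelta(minutes=1)
    for name, key in (("sender", by_sender), ("ip", by_ip), ("ip+rcpt", by_ip_and_rcpt)):
        print(f"{name:8s} {sliding_window_offenders(events, key, 5, window)}")
```

    Run against the sample, the per-sender counter never trips (every envelope sender appears once), while the per-IP and per-IP-plus-recipient counters trip at the sixth failure from 192.0.2.10. Exim's own ratelimit ACL condition takes a key expression for the same purpose, and its default key is the sender host address ($sender_host_address); counting by host rather than by envelope sender is what makes the rotated from addresses in the snippet irrelevant.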

  4. #4
    Member
    Join Date
    Mar 2002
    Posts
    31


    I've been seeing something very similar with my server.

    It seems that the script/bot is using the "Sender Verification Callouts" and a dictionary attack to find the valid email addresses and then using the valid responses as the faked sender for their spam.

    In effect using the restrictions and requirements against us.

    Net result is a massive amount of backscatter spam into the thousands.

    Any thoughts?

    EDIT: Forget that, it sounds like I missed the announcement about Chirpy's solution being exploited.

    Looking like I have a much bigger problem to worry about now. :/
    Last edited by websnail.net; 07-31-2008 at 03:54 PM.
